Systems and methods for intelligent phishing threat detection and phishing threat remediation in a cyber security threat detection and mitigation platform

ABSTRACT

A system and method for accelerating a cybersecurity event detection and remediation includes extracting corpora of feature data from a suspicious electronic communication, wherein the corpora of feature data comprise at least one corpus of text data extracted from a body of the suspicious electronic communication; computing at least one text embedding value for the suspicious electronic communication; evaluating the text embedding values of the corpus of text data against an n-dimensional mapping of adverse electronic communication vectors, the n-dimensional mapping comprising a plurality of historical electronic communication vectors derived for a plurality of historical electronic communications; identifying whether the suspicious electronic communication comprises one of an adverse electronic communication based on the evaluation of the text embedding value, and accelerating a cybersecurity event detection by routing data associated with the suspicious electronic communication to one of a plurality of distinct threat mitigation routes.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.17/501,708, filed on 14 Oct. 2021, which claims the benefit of U.S.Provisional Application No. 63/091,409, filed 14 Oct. 2020, U.S.Provisional Application No. 63/092,307, filed 15 Oct. 2020, and U.S.Provisional Application No. 63/129,836, filed 23 Dec. 2020, which areincorporated herein in their entireties by this reference.

TECHNICAL FIELD

This invention relates generally to the cybersecurity field, and morespecifically to a new and useful cyber threat detection and mitigationsystem and methods in the cybersecurity field.

BACKGROUND

Modern computing and organizational security have been evolving toinclude a variety of security operation services that can often shift aresponsibility for monitoring and detecting threats in computing andorganizational resources of an organizational entity to professionallymanaged security service providers outside of the organizational entity.As many of these organizational entities continue to migrate theircomputing resources and computing requirements to cloud-based services,the security threats posed by malicious actors appear to grow at anincalculable rate because cloud-based services may be accessed throughany suitable Internet or web-based medium or device throughout theworld.

Thus, security operation services may be tasked with mirroring thegrowth of these security threats and correspondingly, scaling theirsecurity services to adequately protect the computing and other digitalassets of a subscribing organizational entity. However, because thevolume of security threats may be great, it may present one or moretechnical challenges in scaling security operations services withoutresulting in a number of technical inefficiencies that may prevent orslowdown the detection of security threats and efficiently responding todetected security threats.

Thus, there is a need in the cybersecurity field to create improvedsystems and methods for intelligently scaling threat and/or adversebehavior detection capabilities of a security operations service whileimproving its technical capabilities to efficiently respond to anincreasingly large volume of security threats to computing andorganizational computing assets.

The embodiments of the present application described herein providetechnical solutions that address, at least the need described above.

SUMMARY OF THE INVENTION(S)

In one embodiment, a method for accelerating a cybersecurity eventdetection and remediation includes extracting one or more corpora offeature data from a suspicious electronic communication sourced from asubscriber, wherein the one or more corpora of feature data comprise atleast one corpus of text data extracted from a body of the suspiciouselectronic communication; computing, by a text embedding model, at leastone text embedding value for the suspicious electronic communicationbased on the corpus of text data; evaluating the one or more textembedding values of the corpus of text data against an n-dimensionalmapping of a plurality of historical electronic communication vectors ofthe subscriber, the n-dimensional mapping comprising a plurality ofdistinct electronic communication vectors derived for the plurality ofhistorical electronic communications of the subscriber, wherein each ofthe plurality of distinct communications relates to an electroniccommunication that was deemed suspicious; identifying whether thesuspicious electronic communication comprises one of an adverseelectronic communication and a non-adverse electronic communicationbased on the evaluation of the one or more text embedding values of thecorpus of text data against the n-dimensional mapping of adverseelectronic communication vectors, wherein if the suspicious electroniccommunication comprises the adverse electronic communication,accelerating a cybersecurity event detection by routing data associatedwith the adverse electronic communication to one of a plurality ofdistinct cybersecurity threat mitigation routes.

In one embodiment, evaluating the text embedding value of the corpus oftext data against the n-dimensional mapping of adverse electroniccommunication vectors includes: identifying a subset of the plurality ofhistorical electronic communication vectors of the plurality ofhistorical electronic communications within a predetermined vectordistance radius of the text embedding value of the corpus of text data;and calculating a vector distance between the text embedding value andeach distinct vector within the subset of the plurality of historicalelectronic communication vectors.

In one embodiment, identifying whether the suspicious electroniccommunication comprises one of the adverse electronic communication andthe non-adverse electronic communication includes: identifying one ormore historical electronic communication vectors having a calculatedcosine distance that is less than or equal to a distance threshold,wherein the distance threshold comprises a maximum cosine distance valuefor indicating a relatedness between at least two distinct electroniccommunication vectors; and returning, via a cybersecurity interface, adistinct and historical electronic communication for each of the one ormore historical electronic communication vectors.

In one embodiment, at the cybersecurity interface: evaluating thesuspicious communication against the distinct and historical electroniccommunication for each of the one or more historical electroniccommunication vectors and validating the suspicious communication as theadverse electronic communication based on the evaluation via thecybersecurity interface.

In one embodiment, evaluating the text embedding value of the corpus oftext data against the n-dimensional mapping of adverse electroniccommunication vectors includes: defining a plurality of distinctpairwise between the text embedding value of the corpus of text data andeach of the plurality of historical electronic communication vectors ofthe n-dimensional mapping; and calculating a cosine distance for each ofthe plurality of distinct pairwise.

In one embodiment, identifying whether the suspicious electroniccommunication comprises one of the adverse electronic communication andthe non-adverse electronic communication includes: identifying one ormore historical electronic communication vectors of the plurality ofhistorical electronic communication vectors having a calculated cosinedistance from the text embedding value that is less than or equal to adistance threshold, wherein the distance threshold comprises a maximumcosine distance value for indicating a relatedness between at least twodistinct electronic communication vectors; and returning, via acybersecurity interface, a distinct and historical electroniccommunication for each of the one or more distinct electroniccommunication vectors.

In one embodiment, the computing, by the text embedding model, the atleast one text embedding value for the suspicious electroniccommunication based on the corpus of text data includes: computing adistinct text embedding value for each of a plurality of distinctsentences of the corpus of text data extracted from the body of thesuspicious electronic communication.

In one embodiment, evaluating the text embedding value of the corpus oftext data against the n-dimensional mapping of adverse electroniccommunication vectors includes: calculating an average text embeddingvalue for the corpus of text data based on the distinct text embeddingvalue of each of the plurality of distinct sentences of the corpus oftext data extracted from the body of the suspicious electroniccommunication; defining a plurality of distinct pairwise between theaverage text embedding value of the corpus of text data and each of theplurality of historical electronic communication vectors of then-dimensional mapping; calculating a cosine distance for each of theplurality of distinct pairwise; and identifying one or more historicalelectronic communication vectors of the plurality of historicalelectronic communication vectors having a calculated cosine distancefrom the average text embedding value that is less than or equal to adistance threshold, wherein the distance threshold comprises a maximumcosine distance value for indicating a relatedness between at least twodistinct electronic communication vectors.

In one embodiment, the method further includes computing, by a phishingmachine learning model, a cybersecurity threat inference comprising aphishing threat score based on an input of feature vectors derived fromthe one or more corpora of feature data from the suspicious electroniccommunication, wherein the phishing threat score indicates a likelihoodthat a target electronic communication comprises an adverse electroniccommunication or a malicious electronic communication.

In one embodiment, an algorithmic structure of the phishing machinelearning model comprises a plurality of distinct learnable parametersfor computing the cybersecurity threat inference that map at least tofeature vectors computed for each of (1) a text body of the suspiciouselectronic communication and a (2) domain of a sender of the suspiciouselectronic communication.

In one embodiment, the routing data associated with the suspiciouselectronic communication to one of the plurality of distinctcybersecurity threat mitigation routes is based on the evaluation of theone or more text embedding values of the corpus of text data of thesuspicious electronic communication against the n-dimensional mapping ofthe plurality of historical electronic communication vectors of thesubscriber.

In one embodiment, the routing data associated with the adverseelectronic communication to one of the plurality of distinctcybersecurity threat mitigation routes is based on the phishing threatscore, wherein each of a plurality of distinct score ranges of apotential phishing threat score is associated with each of the pluralityof distinct cybersecurity threat mitigation routes, the routingincludes: evaluating the phishing threat score against the plurality ofdistinct score ranges of the potential phishing threat score; andselecting a distinct cybersecurity threat mitigation route based on thephishing threat score having a score value that is within a distinctscore range of the distinct cybersecurity threat mitigation route of theplurality of distinct cybersecurity threat mitigation routes.

In one embodiment, the accelerating the cybersecurity event detectionincludes automatically bypassing one or more predetermined cybersecuritythreat investigation steps for resolving cybersecurity threats involvingone or more suspicious electronic communications.

In one embodiment, the evaluating the one or more text embedding valuesof the corpus of text data against the n-dimensional mapping of adverseelectronic communication vectors includes: performing a similaritysearch of the n-dimensional mapping of adverse electronic communicationvectors using the text embedding value of the corpus of text data; andreturning, via a cybersecurity interface, one or more historical adverseelectronic communications based on the similarity search.

In one embodiment, the evaluating the one or more text embedding valuesof the corpus of text data against the n-dimensional mapping of adverseelectronic communication vectors includes: identifying a cognate set ofhistorical adverse electronic communications based on computingsimilarity metric values using the text embedding value of the corpus oftext data and a plurality of adverse electronic communication vectors;and returning, via a cybersecurity interface, the cognate set ofhistorical adverse electronic communications.

In one embodiment, a system for accelerating a cybersecurity eventdetection and remediation includes a feature extractor implemented byone or more computers that extracts one or more corpora of feature datafrom a suspicious electronic communication, wherein the one or morecorpora of feature data comprise at least one corpus of text dataextracted from a body of the suspicious electronic communication; a textembedding system that computes, using a text embedding model, at leastone text embedding value for the suspicious electronic communicationbased on the corpus of text data; a cybersecurity event identificationsystem implementing by one or more computers that: evaluates the one ormore text embedding values of the corpus of text data against ann-dimensional mapping of adverse electronic communication vectors, then-dimensional mapping comprising a plurality of historical electroniccommunication vectors derived for a plurality of historical electroniccommunications, wherein each of the plurality of historicalcommunications relates to a malicious electronic communication with anunlawful intent; identifies whether the suspicious electroniccommunication comprises one of an adverse electronic communication and anon-adverse electronic communication based on the evaluation of the oneor more text embedding values of the corpus of text data against then-dimensional mapping of adverse electronic communication vectors,wherein if the suspicious electronic communication comprises the adverseelectronic communication, accelerating a cybersecurity event detectionby routing data associated with the adverse electronic communication toone of a plurality of distinct cybersecurity threat mitigation routes.

In one embodiment, the identifying whether the suspicious electroniccommunication comprises one of the adverse electronic communication andthe non-adverse electronic communication includes: identifying one ormore historical electronic communication vectors having a calculatedcosine distance that is less than or equal to a phishing distancethreshold, wherein the phishing distance threshold comprises a maximumcosine distance value for indicating a relatedness between at least twodistinct electronic communication vectors; and returning, via acybersecurity interface, a distinct and historical electronic phishingcommunication for each of the one or more historical electroniccommunication vectors.

In one embodiment, the method includes identifying an electronicsender's address based on the one or more corpora of feature data fromthe suspicious electronic communication, wherein the electronic sender'saddress identifies a communication address of a sender of the suspiciouselectronic communication; evaluating the electronic sender's addressagainst historical sender data associated with the plurality ofhistorical electronic communications; bypassing one or morepredetermined cybersecurity threat investigation steps for resolvingcybersecurity threats involving one or more suspicious electroniccommunications based on the evaluation of the electronic sender'saddress; and wherein routing data associated with the suspiciouselectronic communication to one of the plurality of distinctcybersecurity threat mitigation routes is based on the evaluation of theelectronic sender's address.

In one embodiment, the method includes identifying a corpus ofhistorical submissions of suspicious electronic communications of thesubscriber submitting the suspicious electronic communication;evaluating the corpus of historical submissions of suspicious electroniccommunications; computing an acceleration or deceleration of priorityfor the suspicious electronic communication based on the evaluation ofthe corpus of historical submissions of suspicious electroniccommunications; and prioritizing the suspicious electronic communicationwithin a queue of pending suspicious electronic communications based onthe computation of the acceleration or deceleration priority.

In one embodiment, the computing, by the text embedding model, the atleast one text embedding value for the suspicious electroniccommunication based on the corpus of text data includes: computing adistinct text embedding value for each of a plurality of distinctsentences of the corpus of text data extracted from the body of thesuspicious electronic communication; the evaluating the text embeddingvalue of the corpus of text data against the n-dimensional mapping ofadverse electronic communication vectors includes: calculating anaverage text embedding value for the corpus of text data based on thedistinct text embedding value of each of the plurality of distinctsentences of the corpus of text data extracted from the body of thesuspicious electronic communication; defining a plurality of distinctpairwise between the average text embedding value of the corpus of textdata and each of the plurality of historical electronic communicationvectors of the n-dimensional mapping; calculating a cosine distance foreach of the plurality of distinct pairwise; and identifying one or morehistorical electronic communication vectors of the plurality ofhistorical electronic communication vectors having a calculated cosinedistance from the average text embedding value that is less than orequal to a phishing distance threshold, wherein the phishing distancethreshold comprises a maximum cosine distance value for indicating arelatedness between at least two distinct electronic communicationvectors.

In one embodiment, the system includes a machine learning system that:computes, using a phishing machine learning model, a cybersecuritythreat inference comprising a phishing threat score based on an input offeature vectors derived from the one or more corpora of feature datafrom the suspicious electronic communication, wherein the phishingthreat score indicates a likelihood that a target electroniccommunication comprises an adverse electronic communication or amalicious electronic communication.

In one embodiment, the routing data associated with the suspiciouselectronic communication to one of the plurality of distinctcybersecurity threat mitigation routes is based on the phishing threatscore, wherein each of a plurality of distinct score ranges of apotential phishing threat score is associated with each of the pluralityof distinct cybersecurity threat mitigation routes, the routingincludes: evaluating the phishing threat score against the plurality ofdistinct score ranges of the potential phishing threat score; andselecting a distinct cybersecurity threat mitigation route based on thephishing threat score having a score value that is within a distinctscore range of the distinct cybersecurity threat mitigation route of theplurality of distinct cybersecurity threat mitigation routes.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates a schematic representation of a system 100 inaccordance with one or more embodiments of the present application;

FIG. 2 illustrates an example method 200 in accordance with one or moreembodiments of the present application;

FIG. 3 illustrates an example subsystem 300 of system 100 that includesa schematic representation of a phishing engine in accordance with oneor more embodiments of the present application;

FIG. 4 illustrates a schematic representation of a first implementationof one or more sub-components of the system 100 in accordance with oneor more embodiments of the present application; and

FIG. 5 illustrates a schematic representation of a second implementationof one or more sub-components of the system 100 in accordance with oneor more embodiments of the present application.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following description of the preferred embodiments of the inventionsare not intended to limit the inventions to these preferred embodiments,but rather to enable any person skilled in the art to make and use thisinventions.

1. System for Remote Cyber Security Operations & AutomatedInvestigations

As shown in FIG. 1, a system 100 for implementing remote cybersecurityoperations includes a security alert engine 110, an automated securityinvestigations engine 120, and a security threat mitigation userinterface 130. The system 100 may sometimes be referred to herein as acybersecurity threat detection and threat mitigation system 100, asdescribed in U.S. patent application Ser. No. 17/488,800, filed on 29Sep. 2021, which is incorporated herein in its entirety by thisreference.

The system 100 may function to enable real-time cybersecurity threatdetection, agile, and intelligent threat response for mitigatingdetected security threats, as described in U.S. Provisional ApplicationNo. 63/091,409, which is incorporated herein in its entirety by thisreference.

1.1 Security Alert Engine [Josie]

The security alert aggregation and identification module 110, sometimesreferred to herein as the “security alert engine 110” may be in operablecommunication with a plurality of distinct sources of cyber securityalert data. In one or more embodiments, the module no may be implementedby an alert application programming interface (API) that may beprogrammatically integrated with one or more APIs of the plurality ofdistinct sources of cyber security alert data and/or native APIs of asubscriber to a security service implementing the system 100.

In one or more embodiments, the security alert engine 110 may include asecurity threat detection logic module 112 that may function to assessinbound security alert data using predetermined security detection logicthat may validate or substantiate a subset of the inbound alerts assecurity threats requiring an escalation and/or a threat mitigationresponse by the system 100.

Additionally, or alternatively, the security alert engine 100 mayfunction as a normalization layer for inbound security alerts from theplurality of distinct source of security alert data by normalizing allalerts into a predetermined alert format.

1.1.1 Security Alert Machine Learning Classifier

Optionally, or additionally, the security alert engine 110 may include asecurity alert machine learning system 114 that may function to classifyinbound security alerts as validated or not validated security alerts,as described in more detail herein.

The security alert machine learning system 114 may implement a singlemachine learning algorithm or an ensemble of machine learningalgorithms. Additionally, the security alert machine learning system 114may be implemented by the one or more computing servers, computerprocessors, and the like of the artificial intelligence virtualassistance platform no.

The machine learning models and/or the ensemble of machine learningmodels of the security alert machine learning system 114 may employ anysuitable machine learning including one or more of: supervised learning(e.g., using logistic regression, using back propagation neuralnetworks, using random forests, decision trees, etc.), unsupervisedlearning (e.g., using an Apriori algorithm, using K-means clustering),semi-supervised learning, reinforcement learning (e.g., using aQ-learning algorithm, using temporal difference learning), and any othersuitable learning style. Each module of the plurality can implement anyone or more of: a regression algorithm (e.g., ordinary least squares,logistic regression, stepwise regression, multivariate adaptiveregression splines, locally estimated scatterplot smoothing, etc.), aninstance-based method (e.g., k-nearest neighbor, learning vectorquantization, self-organizing map, etc.), a regularization method (e.g.,ridge regression, least absolute shrinkage and selection operator,elastic net, etc.), a decision tree learning method (e.g.,classification and regression tree, iterative dichotomiser 3, C 4.5,chi-squared automatic interaction detection, decision stump, randomforest, multivariate adaptive regression splines, gradient boostingmachines, etc.), a Bayesian method (e.g., naïve Bayes, averagedone-dependence estimators, Bayesian belief network, etc.), a kernelmethod (e.g., a support vector machine, a radial basis function, alinear discriminate analysis, etc.), a clustering method (e.g., k-meansclustering, expectation maximization, etc.), an associated rule learningalgorithm (e.g., an Apriori algorithm, an Eclat algorithm, etc.), anartificial neural network model (e.g., a Perceptron method, aback-propagation method, a Hopfield network method, a self-organizingmap method, a learning vector quantization method, etc.), a deeplearning algorithm (e.g., a restricted Boltzmann machine, a deep beliefnetwork method, a convolution network method, a stacked auto-encodermethod, etc.), a dimensionality reduction method (e.g., principalcomponent analysis, partial least squares regression, Sammon mapping,multidimensional scaling, projection pursuit, etc.), an ensemble method(e.g., boosting, bootstrapped aggregation, AdaBoost, stackedgeneralization, gradient boosting machine method, random forest method,etc.), and any suitable form of machine learning algorithm. Eachprocessing portion of the system 100 can additionally or alternativelyleverage: a probabilistic module, heuristic module, deterministicmodule, or any other suitable module leveraging any other suitablecomputation method, machine learning method or combination thereof.However, any suitable machine learning approach can otherwise beincorporated in the system 100. Further, any suitable model (e.g.,machine learning, non-machine learning, etc.) may be used inimplementing the security alert machine learning system 114 and/or othercomponents of the system 100.

1.2 Automated Investigations Engine [Ruxie]

The automated security investigations engine 120, which may be sometimesreferred to herein as the “investigations engine 120”, preferablyfunctions to automatically perform investigative tasks for addressingand/or resolving a security alert or security event. In one or moreembodiments, the investigations engine 120 may function to automaticallyresolve a security alert based on results of the investigative tasks.

In one or more embodiments, the investigations engine 120 may include anautomated investigation workflows module 122 comprising a plurality ofdistinct automated investigation workflows that may be specificallyconfigured for handling distinct security alert types or distinctsecurity events. Each of the automated investigation workflowspreferably includes a sequence of distinct investigative and/or securitydata production tasks that may support decisioning on or a disposal of avalidated security alert. In one or more embodiments, the investigationsengine 120 may function to select or activate a given automatedinvestigation workflow from among the plurality of distinct automatedinvestigation workflows based on an input of one or more of validatedsecurity alert data and a security alert classification label. That is,in such embodiments, one or more of the plurality of automatedinvestigation workflows may be mapped to at least one of a plurality ofdistinct validated security alerts or events, such that a detection ofthe validated security alert or event automatically causes an executionof a mapped or associated automated investigation workflow.

Additionally, or alternatively, the investigations engine 120 mayinclude an investigations instructions repository 124 that includes aplurality of distinct investigation instructions/scripts orinvestigation rules that inform or define specific investigation actionsand security data production actions for resolving and/or addressing agiven validated security alert. In one or more embodiments, theinvestigations instructions repository 124 may be dynamically updated toinclude additional or to remove one or more of the plurality of distinctinvestigation instructions/scripts or investigation rules.

1.3. Security Mitigation User Interface [Workbench]

The security mitigation user interface 130 may function to enable ananalyst or an administrator to perform, in a parallel manner,monitoring, investigations, and reporting of security event incidents,and/or resolutions to subscribers to the system 100 and/or serviceimplementing the system 100. In some embodiments, an operation of thesecurity user interface 130 may be transparently accessible tosubscribers, such that one or more actions in monitoring, investigation,and reporting security threats or security incidents may be surfaced inreal-time to a user interface accessible, via the Internet or the liketo a subscribing entity.

Accordingly, in or more embodiments, an administrator implementing thesecurity mitigation user interface 130 may function to make requests forinvestigation data, make requests for automated investigations to theautomated investigations engine 120, obtain security incident statusdata, observe or update configuration data for automated investigations,generate investigation reports, and/or interface with any component ofthe system 100 as well as interface with one or more systems of asubscriber.

Additionally, or alternatively, in one or more embodiments, the securitymitigation user interface 130 may include and/or may be in digitalcommunication with a security alert queue 135 that stores andprioritizes validated security alerts.

1.4 Phishing Engine::Phishing Detection+Phishing Threat RemediationSubsystem [Phishing Workflow]

In one or more embodiments, the system 100 includes a phishing engine orsubsystem 300 for detecting malicious communications and producingintelligence for rapidly remediating cybersecurity threats resultingfrom detected malicious communication threats.

In a preferred embodiment, the subsystem 300 includes a featureextractor, an embedding modules, and a similarity modules, as shown byway of example in FIG. 3. In this preferred embodiment, the featureextractor may function to receive, as input, electronic communicationdata and extract content data (e.g., an email body or the like) from theelectronic communication data. In some embodiments, the featureextractor additionally or alternatively includes a pre-processing moduleor unit that functions to pre-processing the content data in preparationfor an embedding service or the like.

In one or more embodiments, the embeddings module may function tocompute or generate word and/or sentence embeddings (i.e., semanticvector values) based on the content data extracted from the electroniccommunication data. In such embodiments, the embeddings module may beimplemented with an external embeddings (e.g., Bert-as-a-service or thelike) that communicates with the embeddings modules to generate wordand/or sentence embeddings.

In one or more embodiments, the similarity module may function tocompute similarity metric values based on an evaluation of the embeddingvalues of the content data. In some embodiments, the similarity modulemay include and/or have access to a database storing one or more corporaof historical electronic communication data (e.g., historical maliciouscommunications, non-malicious communications (e.g., marketing emails,etc.), and/or the like).

2. Method for Automated Phishing Detection|Phishing Threat IntelligenceGeneration|Cybersecurity Investigation Support

As shown in FIG. 2, a method 200 for automated phishing detection andphishing threat mitigation includes receiving one or more electroniccommunications data S205, feature data extraction and preprocessingS210, generate word embeddings and/or sentence embeddings forcommunication corpus S220, compute similarity score for target emailS230, and [return email with highest score] identify whether remediatecybersecurity threat S240. The method 200 may additionally includecomputing a machine learning-based phishing threat score S235.

The method 200 preferably includes one or more techniques foridentifying fraudulent communications and/or messages and generatingintelligent insights based on the discovered fraudulent digitalcommunications that enhances an expediated triage or remediation of anidentified cybersecurity threat. In one or more embodiments, the method200 may be triggered and/or automatically initialized based on alertsignals triggering an automated phishing workflow (e.g., Phishing_WF),as illustrated by example in FIGS. 4 and 5.

2.05 Phishing Data Collection

S205, which includes receiving and/or collecting phishing communicationdata, may function to receive one or more electronic communications. Theone or more electronic communications (e.g., phishing communications,scam communications, marketing communications, etc.) may include and/orrelate to a communication generated with malicious and/or fraudulentintent for purposes of committing one or more fraudulent acts orotherwise, performing one or more malicious attacks based on informationobtained from and/or actions performed by the recipient of theelectronic communication. The one or more electronic communications maybe communicated through any suitable digital medium including, but notlimited to, email, chat messaging, SMS, software applications (e.g.,Slack, Teams, etc.), social networking messages, video messaging, and/orthe like.

In one or more embodiments, S205 may function to collect the one or moreelectronic communications from a target end user and/or a targetrecipient (or target end user's computing system) of the one or moreelectronic communications. In one implementation, the target recipientmay simply forward a suspected and/or confirmed malicious electroniccommunication message to a service or system implementing the method200. In such embodiments, the forwarding may be made to a designatedelectronic address for collecting electronic communication messages thatmay be malicious.

In another implementation, S205 may function to collect or receive theone or more electronic communications based on a selection of anelectronic reporting feature or link. In this implementation, a targetrecipient of the one or more electronic communications may function toselect a phishing reporting feature within an electronic communicationinterface (e.g., email inbox or the like) that may automatically route asubject (suspected or confirmed malicious) electronic communicationmessage to a system, repository, and/or service.

In one embodiment, if a target recipient opens a potential maliciouselectronic communication, a phishing reporting link or electronicallydisplayed featured may be made available and selected forreporting/forwarding the potentially malicious electronic communicationto a threat detection and remediation service implementing the method200. Additionally, or alternatively, a phishing reporting link may beselected for reporting a potential malicious communication in anunopened state. That is, even if the potential malicious communicationhas not been opened and/or the contents of the communication read by thetarget recipient, the target recipient may select the potentiallymalicious communication and further select the phishing reporting email,which together would function to transmit or forward the potentiallymalicious communication data for evaluation and/or threatdetection/remediation.

In yet a further implementation, S205 may function to collect or receiveelectronic communication data that is suspected as being malicious orfraudulent via a suspected threat reporting application programminginterface (API). In one or more embodiments, the threat reporting APImay enable an integration with third-party service providers and/orsubscribers to a threat service/platform implementing the system 100and/or method 200. In use, any party, including but not limited tosubscribers and third-party vendors, the threat reporting APIintegration may directly report a suspected malicious electroniccommunication or any other electronic communication data that may beuseful for identifying threats and/or suspicious behaviors.

Additionally, or alternatively, the electronic communication reportingdata may include an indication of whether the target recipient succumbedto or was tricked by the content of the electronic communication. In oneor more embodiments, in which the target recipient succumbed to anattack of a malicious communication, the electronic communicationreporting data may further include details of the exposure including,but not limited to, details relating to login credentials provided, datafiles or packets that may have been downloaded, and/or any suitableprotected or confidential information that may have been shared as aresponse to interfacing with the electronic communication.

2.10 Feature Extraction+Preprocessing

S210, which includes implementing a multi-segment extraction of asubject electronic communication, may function to extract features fromand process a received electronic communication. In one or moreembodiments, S210 may function to implement a feature extractor that mayfunction to extract one or more predetermined features from theelectronic communication data.

2.12 Electronic Communication Component Extraction

In one or more embodiments, the electronic communication may include anInternet-based communication, such as an email. In such embodiments, apotentially malicious email may include multiple distinct segments ordistinct components including, but not limited to, a content body, oneor more domains or sender electronic address, one or more attachments,one or more hyperlinks (e.g., unsubscribe link), one or more images ormedia, color variation, and/or the like. Additionally, or alternatively,a target electronic communication may include and/or be appended withsubmitter information or data that identifies a subscriber or the liketo a cybersecurity service implementing the system 100 and/or the method220. In such embodiments, S210 includes S212, may function to extracteach distinct feature and/or email component from the emailcommunication including at least an email body (e.g., email content),the domain of the sender of the email, and attachment types includedwith the email.

Additionally, or alternatively, S210 may function to extract eachdistinct component of a subject electronic communication into distinctcorpora or groups. In this way, each distinct component may beadditionally processed along a distinct track. Accordingly, in one ormore embodiments, S210 may function to enumerate at least two distinctcorpora or groups of communication components that includes a firstcorpus of content data that may be made available to an automatedworkflow for identifying malicious or non-malicious content and a secondcorpus of assorted communication data that may be made available forevaluation in investigation support for an analyst or the like. Thecorpus of assorted electronic communication data preferably includes allother extractable features or components of a subject electroniccommunication that may provide positive or negative signals except thecontent data of the content of the subject communication. For example,if the electronic communication comprises an email communication, S210may function to extract content features (i.e., the written messageand/or media within a body of the email) into a first corpus of contentdata and extract sender email domain, attachments, hyperlinks, and/orthe like into a second corpus of assorted email components.

Additionally, or alternatively, S210 may function to extract submitter(identification) data associated with a target electronic communication.In such embodiments, S210 may function to use submitter identificationdata or the like to identification and retrieve previous or historicalsubmissions of suspicious electronic communications and the like.Accordingly, S210 may function to create a corpus of submitter dataand/or augment the corpus of assorted electronic communication data withdata relating to the submitter of the target electronic communicationand/or that includes data relating to the historical submissions by thesubmitter.

2.14 Content Processing

Additionally, or alternatively, S210 includes S214, which includespre-processing the corpus of content data, may function to, in advanceof a computation or extraction of word and/or sentence embeddings fromthe corpus of content data, filter or clean from the corpus extraneousfeatures. In this way, a word and/or sentence embedding service orcomponent may function to convert the corpus of content data into vectorvalues without difficulty and with improved accuracy. For example, S210may function to remove or process out of any written content within asubject corpus of content data one or more of punctuation and extraneouscharacters (e.g., brackets, apostrophes, computation signs,non-alphanumeric characters, and/or the like).

In one variant implementation, S210 may function to initially identifyhomoglyphic text elements or homoglyphic words within the corpus ofcontent data. For each identified homoglyphic element identified, S210may function to identify a potential intended and/or real term andcompute a word embeddings value or sentence embeddings value of a givenword or text string in which the intended or the real term may be usedas a substitute for the homoglyphic element. That is, in someembodiments, because a homoglyphic element may be misspelled orotherwise includes a like or similar character to a real or intendedterm, an embeddings value may be computed that is not entirely accurateor that fails to capture the intended meaning of a target homoglyphicterm or element.

Similarly, to further improve embeddings values for a given corpus ofcontent data, in one or more embodiments, S210 may additionally functionto correct intentionally misspelled terms within the corpus of contentdata. For instance, in one or more embodiments, S210 may function toscan the corpus of content data for misspelled terms and automaticallygenerate a correct spelling for each misspelled term. S220 may functionto substitute the misspelled term with the correctly spelled term priorto generating the embeddings values for a subject corpus of contentdata.

2.20 Embeddings Generation

S220, which includes obtaining embeddings values based on content data,may function to convert the corpus of content data obtained from anelectronic communication to or generate vector representations or textrepresentations for at least a text component of the corpus of contentdata. In a preferred embodiment, S220 may function to implement oraccess a word, sentence or text embeddings service (e.g.,Bert-as-a-service) or an embeddings module (e.g., a component ofsubsystem 300) that may define part of a threat detection andremediation service or system implementing the systems (e.g., system100) and/or methods (e.g., method 200) described herein. S220, using aword and/or sentence embeddings generator, may function to generate oneor more text representations based on an input of the corpus of contentdata. That is, S220 may function to generate a plurality of distincttext representations in which words or a string of text (e.g., asentence or the like) having a similar meaning may have a similarrepresentation.

Accordingly, S220 may function to collect the corpus of content data,extract a plurality of distinct strings of text from the corpus ofcontent data, and compute text representations based on the strings oftext. Preferably, each distinct string of text (e.g., each distinctsentence or the like) extracted from the content data may be fed asinput into a sentence embeddings model that may function to map eachdistinct string of text to vectors of real numbers or the like inn-dimensional space.

In a first, preferred implementation, S220 may function to implement oruse a bidirectional encoder representation form transformers (BERT)model as a target word and/or sentence embeddings service or model forgenerating word/sentence embeddings for each of the plurality ofdistinct pieces of content of the corpus of content data. It shall berecognized that BERT may comprise a transformer-based machine learningtechnique for natural language processing. In this first implementation,S220 may function to generate word and/or sentence embeddings based onusing BERT-as-a-service. For example, a word and/or sentence embeddingsor language machine learning model, may function to receive an input ofone or more strings of texts or one or more distinct sentences or wordsand generate or output one or more vector representations of the textsor sentences.

In a second implementation, S220 may function to implement a word and/ora sentence embedding technique including a universal sentence encoder(USE), such as a Deep Averaging Network method, which functions toaverage sentence embeddings of a target input of textual data and passesthe resultant averages through a feedforward network or the like togenerate a vector representation for each target segment of text data.Preferably, the USE may be trained using a range of supervised andunsupervised tasks.

In a third implementation, S220 may function to implement a word and/ora sentence embedding technique including a smooth inverse frequency(SIF). Using the SIF technique, S220 may function to compute a weightedaverage of sentence embeddings for each target segment of text data. Inthis second implementation, the weighted average for each target segmentof user input may be determined based on a word frequency.

In a fourth implementation, S220 may function to implement as a wordand/or a sentence embedding technique a simple average of sentenceembeddings. That is, S220 may function to compute an unweighted averageof sentence embeddings that preferably may not allow for preferentialweightings based on one or more characteristics of a target segment oftext data.

Additionally, or alternatively, S220 may function to select one or moreof a plurality of distinct word and/or sentence embeddings techniquesbased on attributes or characteristics of a given corpus of contentdata. For instance, S220 may function to select a first embeddingstechnique of a plurality of distinct embeddings techniques based on anaverage length of the distinct strings (i.e., average number of tokensin a string) of text within a corpus of content data. Thus, S220 mayfunction to select from one of any available sentence embeddingstechniques, such as the sentence embeddings techniques described in theabove implementations, based on one or more characteristics of thecontent data. In some embodiments, S220 may function to select acombination of two or more distinct sentence embeddings techniques forgenerating sentence embeddings for a target corpus of content data.

It shall be recognized that any suitable or combination of word and/orsentence embeddings techniques and/or services may be implemented inS220 for computing sentence embeddings for a given corpus of contentdata.

2.30 Similarity Computation|Mapping to Corpus of Historical Embeddings

S230, which includes implementing a similarity computation, may functionto compute one or more similarity metric values for a given electroniccommunication based on embeddings data for the given electroniccommunication and embeddings data of a corpus of historical electroniccommunications. In some embodiments, a corpus of historical electroniccommunication may be sourced on a per subscriber basis. In suchembodiments, an evaluation of a target suspicious electroniccommunication from a given subscriber may be performed against thecorpus of historical electronic communications (e.g., electroniccommunications received by the given subscriber) sourced from the givensubscriber. However, it shall be recognized that a global corpus ofhistorical electronic communications may be used that includes acollection of historical electronic communications sourced from multiplesubscribers and other sources of sample electronic communications.

In a first implementation, S230 may function to perform a similaritysearch within embeddings data of a corpus of historical observedcommunications using embeddings values of a given electroniccommunication. In one or more embodiments, S230 may function to performthe similarity search to identify historical electronic communicationshaving similar or same embeddings values as the given corpus of contentdata for the given electronic communication.

In this first implementation, the similarity search within embeddingsdata of the corpus of historical electronic communications may beperformed using an average of the embeddings values of a given corpus ofcontent data. In a variant, S230 may function to perform a plurality ofsearches within the corpus of historical electronic communications usingeach distinct word and/or sentence embeddings value within the givencorpus of content data.

In one or more embodiments, the similarity search may additionally, oralternatively include an assessment of a subject corpus of content dataagainst the embeddings data of the corpus of historical electroniccommunications. In a particular embodiment, S230 may function assess theone or more embeddings values of a corpus of content data for a givenelectronic communication against a plurality of distinct embeddings ofthe corpus of historical electronic communications.

Additionally, or alternatively, in one embodiment, S230 may function togenerate a plurality of distinct pairwise between the embeddings of thesubject corpus of content data and the embeddings of each of theplurality of distinct embeddings of the corpus of historical electroniccommunications. In such embodiment, S230 may function to compute a rawdistinct value between the members of each of the plurality of distinctpairwise. In one embodiment, the computation between the members of thepairwise includes computing a sum difference between the embeddingsvalue of the subject corpus of content data and the embeddings value ofone of the embeddings of the corpus of historical electroniccommunications.

In a preferred embodiment, S230 may function to compute a similaritymetric value for a given pairwise using cosine distance/similarity. Insuch preferred embodiment, S230 may function to identify a theta anglebetween each of the members within a subject pairwise and calculate thecosine of the theta angle. Preferably, the cosine of the theta angle fora given pairwise corresponds to or includes the similarity metric valuefor and/or assigned to the given pairwise.

In a second implementation, S230 may function to perform a similaritycomputation based on mapping each word and/or sentence embeddings valuesof a given corpus of content data for an electronic communication in ann-dimensional space that includes embeddings vector values for eachdistinct member of a corpus of historical electronic communications. Inthis second implementation, S230 may function to identify clusters ofembeddings of historical electronic communications surrounding one ormore embeddings of the given corpus of content data. In a preferredembodiment, either one or more embeddings of the given corpus of contentdata or an average embeddings value for the given corpus of content datamay be set or defined as a centroid for the identified clusters.Accordingly, in such preferred embodiment, S230 may function to set apredetermined radius from the centroid to define a scope and/or size ofa relevant cluster for additional assessment and/or evaluation.

Similar to the first implementation, in the second implementation, S230may function to define pairwise between an embeddings of a given corpusof content data and each of a plurality of distinct embeddings of thecorpus of historical electronic communication that may be within anidentified cluster. Likewise, a similarity metric value for a givenpairwise may be computed based on a raw distance value computationand/or a cosine distance value for the given pairwise, as previouslydescribed.

2.4 Surfacing Threat Intelligent for Investigation+Remediation Support

S240, which includes generating phishing threat intelligence data, mayfunction to identify a cognate set of one or more malicious electroniccommunications based on an evaluation (e.g., S230) each of the computedsimilarity metric values for a given electronic communication.

In one or more embodiments, S240 may function to identify one or morecognate or similar malicious communications based on identifying the oneor more historical electronic communications producing similarity metricvalues satisfying or exceeding a phishing threat threshold or asimilarity threshold. Preferably, the phishing threat threshold or thesimilarity threshold relates to a minimum similarity metric value orscore that may indicate a high or statistically significant degree ofsimilarity between two compared pieces of content or comparedembeddings.

Thus, in such embodiments, S240 may function to compute phishing threatintelligence data that includes a cognate set or a plurality ofhistorical electronic communications having a sufficient or high degreeof relatedness to a given corpus of content data for an electroniccommunication.

In one or more embodiments, S240 may additionally or alternativelyfunction to rank each of the plurality of historical electroniccommunications within a returned set based on an assigned similaritymetric value. For instance, S240 may function to rank historicalelectronic communications in sequential order from first to last basedon a highest similarity metric value being the first ranked and thelowest similarity metric value between the last ranked.

Accordingly, for each of the plurality of historical electroniccommunications provided with the phishing threat intelligence data, S240may function to automatically access each of an original electroniccommunication data for each of the plurality of historical electroniccommunications in a cognate set and augment the original electroniccommunication data to the phishing threat intelligence data. In one ormore embodiments, the original electronic communication data may includeone or more the original content of the communication, a sender'scommunication address and domain, any attachments, any hyperlinks,and/or any suitable attribute of the original communication.

Additionally, or alternatively, S240 may function to automaticallyaugment to or automatically include within the phishing threatintelligence data similar electronic communications data from previouslyremediated security alerts. In this way, duplicate emails may be avoidedor may be known during an evaluation and/or handling of a pending orreal-time security alert.

Additionally, or alternatively, S240 may function to generate phishingthreat intelligence data that identifies or includes criteria and/orattributes that are drivers or signals that encouraged the one or moresimilarity metric values. For instance, S240 may function to addcriteria such as, but not limited to, domain match, attachment match,timing (of send) requirements, content match, and/or the like.

Additionally, or alternatively, S240 may function to generate aprobability of phishing score for a given corpus of content data basedon the phishing intelligence data and preferably, generate a proposedremediation action based on the phishing intelligence data and/or theprobability of phishing score. In some embodiments, the method 200includes a spectrum or continuum of phishing criteria and/or phishingthresholds that each correspond to a proposed remediation action. Insuch embodiments, S240 may function to assess the phishing score for agiven corpus of content data to the phishing criteria and output aproposed remediation action that is most recently satisfied by thephishing score.

Machine Learning-Based Phishing Threat Score

Additionally, or alternatively, S240 may function to implement aphishing machine learning model that may function to compute apredictive inference for identifying electronic communications thatinvolve a threat of phishing or scam. In one or more embodiments, thepredictive inference comprises a phishing threat score (value) or asuspicious communication threat score that indicates a likelihood or aprobability that a target electronic communication may be a maliciouscommunication, a phishing communication, and/or a fraudulentcommunication created by an online attacker or the like with an intentto misappropriate information via trickery or by defrauding a recipientof the target electronic communication. In such embodiments, thephishing threat score may be a value in any suitable alphanumeric rangeor gradient-based ranges including, but not limited to, values between0-100, A-z, and/or the like.

In a preferred embodiment, S240 may function to compute, via thephishing threat score based on an input of feature vectors derived fromone or more corpora of feature data extracted from a suspiciouselectronic communication. In one or more embodiments, an algorithmicstructure of the phishing machine learning model may be configured witha plurality of distinct learnable parameters that map to feature vectorscomputed for distinct attributes of a typical electronic communicationincluding, but not limited to, a text body, domains, attachment types,communication header or subject, and/or the like. Accordingly, S240 mayfunction to implement a specifically configured feature extractor thatextracts feature data of a plurality of components of an electroniccommunication and vectorize each of the plurality of components asinputs to corresponding learnable/learned parameters of the phishingthreat model for computing a cybersecurity threat inference and/orphishing threat score.

Additionally, or alternatively, in an evaluation of phishing threatintelligence data, S240 may function to evaluate a computed phishingthreat score for a target electronic communication against a pluralityof distinct phishing threat score ranges. In one or more embodiments,each of the plurality of distinct phishing threat score ranges may beassociated with or mapped to one of a plurality of distinctcybersecurity event disposal or threat mitigation routes. Accordingly,in some embodiments, the method 200 may function to identify a distinctscore range of a target phishing threat score and select a cybersecurityevent disposal or threat mitigation route based on the phishing threatscore having a score value that is within the distinct score range ofthe cybersecurity route of the plurality of distinct cybersecuritythreat mitigation routes.

In some embodiments, the phishing machine learning model comprises anensemble of distinct (phishing) machine learning models that may operatein combination to compute or produce the predictive inference fordetermining whether a target communication may be malicious ornon-malicious. In such embodiments, each machine learning model may betrained with one or more corpora of labeled training data comprising aplurality of distinct training samples of malicious (adverse) ornon-malicious (non-adverse) electronic communications.

2.5 Accelerated Cybersecurity Investigation Support

S250, which includes surfacing the phishing threat intelligence data,may function to automatically return or provide the phishing threatintelligence data as a part of potentially malicious communication or asan augmentation to security alert data. In this way, the phishing threatintelligence data may be used to support or enable an acceleratedhandling of one or more cybersecurity investigation actions including,but not limited to, escalating (i.e., validating a security alert) orde-escalating a pending cybersecurity investigation or causing aninitialization of one or more new cybersecurity investigations forresolving one or more cybersecurity threats that may be imminent and/orthat may include potentially compromised computing systems and/orcomputing resources.

In one or more embodiments, S250 may function to accelerate acybersecurity event detection and/or investigation of a targetelectronic communication via automatically bypassing one or morepredetermined cybersecurity event investigation steps for handlingcybersecurity events involving suspicious electronic communications.That is, in some embodiments, a system or a service implementing themethod 200 may implement cybersecurity detection and/or investigationpolicy having a plurality of distinct (sequence of) steps forsuccessfully handling a cybersecurity event involving a potentiallymalicious electronic communication. In such embodiments, if the phishingthreat intelligence data derived for a target potentially harmfulelectronic communication includes one or more historical phishingelectronic communications returned on the basis of similarity to thetarget electronic communication, S250 may function to automaticallybypass one or more detection and/or investigation steps of the distinctsteps for handling the cybersecurity event based on the potential rapididentification of the target electronic communication as being maliciousor as being a phishing communication.

In one or more embodiments, the automatic bypass may include generatingor proposing one or more cybersecurity threat mitigation routes ordisposals based on identifying the historical threat mitigation actionsor threat mitigation routes previously executed for the historicallysimilar electronic communications surfaced based on the evaluated of thetarget suspicious electronic communication. In other words, S250 mayfunction to produce one or more proposed (or recommended) cybersecuritythreat handling or cybersecurity threat response actions for the targetsuspicious electronic communication by borrowing the cybersecuritythreat response to the one or more similar historical electroniccommunications, as described in U.S. Provisional Application No.63/239,716, which is incorporated herein in its entirety by thisreference.

Accordingly, in such embodiments, S250 may function to recycle aprevious cybersecurity threat response to one or more of the similar orsame historical electronic communications to the target suspiciouselectronic communication thereby accelerating a cybersecurity detectionand mitigation of the target suspicious electronic communication bypotentially bypassing one or more automated or semi-automatedcybersecurity threat investigation steps and cybersecurity threatresponse steps.

In one or more embodiments, when the phishing threat intelligence dataincludes a computed phishing threat score for the target suspiciouselectronic communication, S250 may function to accelerate acybersecurity event detection and investigation of a target electroniccommunication via rapidly identifying a cybersecurity event or threatmitigation route of a plurality of distinct cybersecurity event routes.That is, in such embodiments, S250 may automatically bypasssubstantially all or potentially all cybersecurity event investigationsteps (e.g., investigation data sourcing, aggregation, and investigationdata analysis, etc.) based on a machine learning-based phishing threatscore for the target electronic communication and automaticallydecisioning the cybersecurity event disposal or threat mitigation routebased solely or mainly on the computed phishing threat score.

In one embodiment, the method includes identifying an electronicsender's address based on the one or more corpora of feature data fromthe suspicious electronic communication, wherein the electronic sender'saddress (e.g., sender's email address) identifies a communicationaddress of a sender of the suspicious electronic communication. In suchembodiments, the method 200 may function to evaluate the electronicsender's address against historical sender data associated with theplurality of historical electronic communications of one or moresubscriber or the like. In some embodiments, S250 may function to createa search query that includes the electronic sender's address and performa search of a repository having the historical sender data. In someembodiments, the electronic sender's address may be converted to avector and a search performed of a vectorized database of the historicalsender data. Accordingly, S250 may function to bypass one or morepredetermined cybersecurity threat investigation steps for resolvingcybersecurity threats involving one or more suspicious electroniccommunications based on the evaluation of the electronic sender'saddress. Additionally, or alternatively, routing data associated withthe suspicious electronic communication to one of the plurality ofdistinct cybersecurity threat mitigation routes may be based on theevaluation of the electronic sender's address.

Additionally, or alternatively, the method 200 may include identifying acorpus of historical submissions of suspicious electronic communicationsof the subscriber submitting the suspicious electronic communication. Insuch embodiments, the method 200 may function to evaluate the corpus ofhistorical submissions of suspicious electronic communications made bythe subscriber (e.g., the submitter) and compute an acceleration ordeceleration priority (value or the like) for the suspicious electroniccommunication based on the evaluation of the corpus of historicalsubmissions of suspicious electronic communications. An acceleration ordeceleration priority, as referred to herein, preferably relates to alikelihood or probability that a target suspicious electroniccommunication includes a degree of cybersecurity threat or risksatisfying or exceeding a threat threshold (e.g., a maximum threat valuethat if satisfied or exceeded indicates a high probability of loss orrisk resulting from the suspicious electronic communication).Accordingly, S250 may function to re-prioritize the suspiciouselectronic communication within a queue of pending suspicious electroniccommunications based on the acceleration priority. In this way, pendingsuspicious electronic communications having a high cybersecurity threatmay be handled expeditiously in advance of other pending suspiciouselectronic communication having a lower cybersecurity threat.

3. Computer-Implemented Method and Computer Program Product

Embodiments of the system and/or method can include every combinationand permutation of the various system components and the various methodprocesses, wherein one or more instances of the method and/or processesdescribed herein can be performed asynchronously (e.g., sequentially),concurrently (e.g., in parallel), or in any other suitable order byand/or using one or more instances of the systems, elements, and/orentities described herein.

Although omitted for conciseness, the preferred embodiments may includeevery combination and permutation of the implementations of the systemsand methods described herein.

As a person skilled in the art will recognize from the previous detaileddescription and from the figures and claims, modifications and changescan be made to the preferred embodiments of the invention withoutdeparting from the scope of this invention defined in the followingclaims.

What is claimed:
 1. A method implemented by one or more computers foraccelerating a detection of a cybersecurity event and executing acybersecurity remediation, the method comprising: computing, by a textembedding model, an array of embeddings based on content feature dataextracted from a target electronic communication; identifying anelectronic sender's address based on the content feature data from thetarget electronic communication, wherein the electronic sender's addressidentifies a communication address of a sender of the target electroniccommunication; performing an embedding search of a corpus of embeddingsof a plurality of distinct historical electronic communications based onthe array of embeddings of the target electronic communication;evaluating the electronic sender's address against historical senderdata associated with one or more historical electronic communications;identifying at least one distinct historical electronic communicationbased on the performance of the embedding search; identifying whetherthe target electronic communication is one of a malicious electroniccommunication or a non-malicious communication based on an evaluation ofthe target electronic communication against the at least one distincthistorical communication; bypassing one or more predeterminedcybersecurity threat investigation steps for resolving cybersecuritythreats involving one or more target electronic communications based onthe evaluation of the electronic sender's address; and accelerating ahandling of a cybersecurity event associated with the target electroniccommunication based on whether the target electronic communication isone of the malicious electronic communication or the non-maliciouscommunication, wherein the accelerating the handling of thecybersecurity event includes routing data associated with the targetelectronic communication to one of a plurality of distinct cybersecuritythreat mitigation routes based on the evaluation of the electronicsender's address and identifying the target electronic communication asthe malicious electronic communication.
 2. The method according to claim1, wherein performing the embedding search includes: computing a cosinedistance value between the array of embeddings of the target electroniccommunication and embeddings of the at least one distinct historicalelectronic communication of the corpus of embeddings.
 3. The methodaccording to claim 2, further comprising: deriving a similarity scorefor the at least one distinct historical communication based on thecosine distance value.
 4. The method according to claim 1, whereinidentifying the at least one distinct historical electroniccommunication includes returning the at least one distinct historicalelectronic communication if a computed similarity score associated withthe at least one distinct historical electronic communication satisfiesan electronic communication similarity threshold.
 5. The methodaccording to claim 1, wherein identifying whether the target electroniccommunication is one of the malicious electronic communication or thenon-malicious communication includes: evaluating a content of the targetelectronic communication against a content of the at least one distincthistorical electronic communication, and validating the targetelectronic communication as the malicious electronic communication basedon a phishing similarity.
 6. The method according to claim 1, whereinidentifying whether the target electronic communication is one of themalicious electronic communication or the non-malicious communicationincludes: evaluating a content of the target electronic communicationagainst a content of the at least one distinct historical electroniccommunication, and validating the target electronic communication as thenon-malicious electronic communication based on a phishing similarity.7. The method according to claim 1, wherein the corpus of embeddings ofthe plurality of distinct historical electronic communications comprisesembeddings of a plurality of distinct historical malicious electroniccommunications.
 8. The method according to claim 1, wherein the corpusof embeddings of the plurality of distinct historical electroniccommunications comprises embeddings of (a) a plurality of distincthistorical malicious electronic communications and (b) a plurality ofdistinct historical non-malicious electronic communications.
 9. Themethod according to claim 1, wherein accelerating the detection of thecybersecurity event includes automatically bypassing one or morepredetermined cybersecurity threat investigation steps for resolvingcybersecurity threats involving the target electronic communicationbased on identifying the target electronic communication as themalicious electronic communication.
 10. A method implemented by one ormore computers for accelerating a disposal of a suspected cybersecurityevent, the method comprising: identifying a suspected maliciouselectronic communication and an electronic sender's address of thesuspected malicious electronic communication, wherein the electronicsender's address identifies a communication address of a sender of thesuspected electronic communication; extracting a corpus of contentfeature data from the suspected malicious electronic communication;converting the corpus of content feature data of the suspected maliciouselectronic communication to model input of feature vectors; evaluatingthe electronic sender's address against historical sender dataassociated with one or more historical electronic communications;computing, by a phishing machine learning model, a cybersecurity threatinference comprising a phishing threat score based on the model input offeature vectors of the suspected malicious electronic communication,wherein the phishing threat score indicates a likelihood that a targetelectronic communication comprises an adverse electronic communicationor a malicious electronic communication; bypassing one or morepredetermined cybersecurity threat investigation steps for resolvingcybersecurity threats involving the suspected malicious electroniccommunication based on the evaluation of the electronic sender'saddress; and accelerating a handling of a cybersecurity event associatedwith the suspected malicious electronic communication based on whetherthe target electronic communication is one of the malicious electroniccommunication or the non-malicious communication, wherein theaccelerating the handling of the cybersecurity event associated with thesuspected malicious electronic communication includes routing dataassociated with the suspected malicious electronic communication to oneof a plurality of distinct cybersecurity threat mitigation routes basedon the evaluation of the electronic sender's address and identifying thesuspected malicious electronic communication as the malicious electroniccommunication.
 11. The method according to claim 10, wherein analgorithmic structure of the phishing machine learning model comprises aplurality of distinct learnable parameters for computing thecybersecurity threat inference that map at least to feature vectorscomputed for each of (1) a text body of the target electroniccommunication and (2) a web-based domain of a sender of the suspectedmalicious electronic communication.
 12. The method according to claim10, wherein: each of a plurality of distinct score ranges of a potentialphishing threat score is associated with each of the plurality ofdistinct cybersecurity threat mitigation routes, wherein the routingincludes: evaluating the phishing threat score against the plurality ofdistinct score ranges of the potential phishing threat score; andselecting a distinct cybersecurity threat mitigation route based on thephishing threat score having a score value that is within a distinctscore range of the distinct cybersecurity threat mitigation route of theplurality of distinct cybersecurity threat mitigation routes.
 13. Asystem for accelerating a cybersecurity event detection and remediation,the system comprising: a text embedding system that computes, using atext embedding model, an array of embeddings based on content featuredata extracted from a target electronic communication; a cybersecurityevent identification service implemented by one or more computers that:identify a corpus of historical submissions of suspected maliciouselectronic communications; perform an embedding search of a corpus ofembeddings of a plurality of distinct historical electroniccommunications based on the array of embeddings of the target electroniccommunication; identify at least one distinct historical electroniccommunication based on the performance of the embedding search; identifywhether the target electronic communication is one of a maliciouselectronic communication or a non-malicious communication based on anevaluation of the target communication against the at least one distincthistorical electronic communication; evaluate the corpus of historicalsubmissions of suspected malicious electronic communications and computean acceleration or a deceleration priority for the target electroniccommunication based on the evaluation of the corpus of historicalsubmissions of suspected malicious communications; and accelerate ahandling of a cybersecurity event associated with the target electroniccommunication based on whether the target electronic communication isone of the malicious electronic communication or the non-maliciouscommunication that includes (1) a prioritization of the targetelectronic communication within a queue of pending electroniccommunications based on the computation of the acceleration or thedeceleration priority and (2) routing data associated with the targetelectronic communication to one of the plurality of distinctcybersecurity threat mitigation routes based on identifying the targetelectronic communication as the malicious electronic communication. 14.The system according to claim 13, further comprising: a machine learningsystem that: computes, using a phishing machine learning model, acybersecurity threat inference comprising a phishing threat score basedon an input of content feature data extracted from the target electroniccommunication, wherein the phishing threat score indicates a likelihoodthat a target electronic communication comprises an adverse electroniccommunication or the malicious electronic communication.